Goal: Extract the picture of the Girl at startup and write a tutorial on how you have done it.

colorpicker.rar

Ok i have not a good dumper

But i think is packed with PeInject you have inejcted a splash.dll

set a breakpoint here and step into

0043D2D9 CALL EAX

Now set a breakpoint here

013C1198 CALL 013C12E2 ; JMP to user32.LoadBitmapA

return from LoadBitmapA ist your bitmap

Greets

Edited December 1, 201212 yr by ragdog

Thank you ragdog. But this wont extract the picture. Yes i used PeInject.

return from LoadBitmapA have you the pointer of this picture ;-)

Now must you dump it and write the Bitamp header

Here is a example for safe the bitmap (dumper)

from rohitab

//if you want to save the bitmap to a file now that you have it on your computer,here (i dont take credit for this function)
void SaveBitmap(char *szFilename,HBITMAP hBitmap)
{
HDC hdc=NULL;
FILE* fp=NULL;
LPVOID pBuf=NULL;
BITMAPINFO bmpInfo;
BITMAPFILEHEADER bmpFileHeader;
do{
hdc=GetDC(NULL);
ZeroMemory(&bmpInfo,sizeof(BITMAPINFO));
bmpInfo.bmiHeader.biSize=sizeof(BITMAPINFOHEADER);
GetDIBits(hdc,hBitmap,0,0,NULL,&bmpInfo,DIB_RGB_COLORS);
if(bmpInfo.bmiHeader.biSizeImage<=0)
bmpInfo.bmiHeader.biSizeImage=bmpInfo.bmiHeader.biWidth*abs(bmpInfo.bmiHeader.biHeight)*(bmpInfo.bmiHeader.biBitCount+7)/8;
if((pBuf = malloc(bmpInfo.bmiHeader.biSizeImage))==NULL)
{
	 MessageBox( NULL, "Unable to Allocate Bitmap Memory", "Error", MB_OK|MB_IConerror);
	 break;
}
bmpInfo.bmiHeader.biCompression=BI_RGB;
GetDIBits(hdc,hBitmap,0,bmpInfo.bmiHeader.biHeight,pBuf, &bmpInfo, DIB_RGB_COLORS);
if((fp = fopen(szFilename,"wb"))==NULL)
{
	 MessageBox( NULL, "Unable to Create Bitmap File", "Error", MB_OK|MB_IConerror);
	 break;
}
bmpFileHeader.bfReserved1=0;
bmpFileHeader.bfReserved2=0;
bmpFileHeader.bfSize=sizeof(BITMAPFILEHEADER)+sizeof(BITMAPINFOHEADER)+bmpInfo.bmiHeader.biSizeImage;
bmpFileHeader.bfType='MB';
bmpFileHeader.bfOffBits=sizeof(BITMAPFILEHEADER)+sizeof(BITMAPINFOHEADER);
fwrite(&bmpFileHeader,sizeof(BITMAPFILEHEADER),1,fp);
fwrite(&bmpInfo.bmiHeader,sizeof(BITMAPINFOHEADER),1,fp);
fwrite(pBuf,bmpInfo.bmiHeader.biSizeImage,1,fp);
}while(false);
if(hdc) ReleaseDC(NULL,hdc);
if(pBuf) free(pBuf);
if(fp) fclose(fp);
}

Edited December 1, 201212 yr by ragdog

Small modification of ragdog's idea:

1) breakpoint on LoadBitmapA;

2) look at parameters to the call:

0012F740 00AC119D /CALL to LoadBitmapA from 00AC1198
0012F744 00AC0000 |hInst = 00AC0000
0012F748 00AC3000 \RsrcName = "MyBitmap"

So, the DLL is loaded at address AC0000.

3) Dump memory at address AC0000. I used PETools, so it calculated size of dump automatically (EC000 bytes). But you can always use other tool and dump more memory, it won't hurt.

4) Open dump with CFF and use its resource editor function to extract BMP.

Yes to use tools is your solution good kao

but i think hassan try to coding a extractor like thinstall or not hassan ?

Yes Ragdog. Trying to coding a extractor

The [crackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thankyou!

[This is an automated reply]